The end of Safe Harbor: transferring personal data to the US

The Court of Justice of the European Union has today issued a widely anticipated ruling on the validity of ‘Safe Harbor’.

Under data protection law, organisations must not transfer personal data outside the European Economic Area unless the receiving country “ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data” (the eighth data protection principle). There are various methods of complying with this requirement, one of which is relying on a decision made by the European Commission that a particular country provides adequate protection. In 2000, the Commission made a decision that the Safe Harbor regime, a self-certification scheme for companies based in the US processing personal data transferred from Europe, provides an adequate level of protection for EU citizens (Decision 2000/520/EC).

The case arose from a complaint by Mr Schrems, an Austrian Facebook user, to the Irish Data Protection Commissioner. Mr Schrems alleged that the transfer of his personal data from Facebook Ireland to Facebook’s US parent, made under Safe Harbor, breached his data protection rights. The Irish DP Commissioner refused to investigate, on the grounds that under Irish law he was bound to follow the European Commission’s previous adequacy decision. Mr Schrems applied for judicial review and the Irish High Court made a reference to the CJEU, asking whether the Irish DP Commissioner was bound to follow the Commission’s decision or whether he could investigate the complaint.

The CJEU’s judgment covers two issues:

Can a national data protection authority investigate a complaint relating to a transfer of data to a third party where the Commission has made a decision of adequacy?

The CJEU ruled that the presence of an adequacy decision by the Commission does not prevent national data protection authorities from investigating complaints about the transfer of personal data to countries outside of the EEA. However, only the CJEU can declare a Commission decision invalid. This means that a national data protection authority (the ICO in the UK) must consider complaints relating to data transfers, but cannot overrule the Commission without recourse to the national courts and a referral to the CJEU. The ICO is considering the implications of this aspect of the judgment.

Is Commission Decision 2000/520/EC valid?

The CJEU ruled that the Commission’s decision relating to Safe Harbor is invalid, because it does not meet the requirements for an adequacy decision. In particular, the self-certification method, the ability of the US authorities to override the protections afforded by Safe Harbor and the lack of judicial remedies available to data subjects meant that the decision was flawed. The CJEU reached this decision without reviewing in detail the Safe Harbor principles.

The key implication of the CJEU’s decision is that it is no longer safe to rely solely on Safe Harbor to legitimise transfers of personal data to the US. This does not prevent any transfers of personal data to the US, but it does mean other methods should be considered to ensure compliance. For example, data controllers that have relied on Safe Harbor-certified processors in the US might wish to put in place model contract clauses instead (or use processors based in the EEA). Intra-group transfers from the EU to the US may be legitimised by the use of binding corporate rules. Alternatively, controllers may transfer personal data outside the EEA (including to the US) with the consent of the data subject.

Whilst discussions between the EU and the US continue with a view to negotiating a revised Safe Harbor scheme, and the ICO has acknowledged that it may take some time for businesses to adjust to life after Safe Harbor, data controllers should act quickly to ensure that they comply with data protection legislation.

About the Author

Jon specialises in information governance law and advises on data protection compliance, information sharing and freedom of information issues.